How to deal with False-Positive Malware Using CISCO CES and Office 365

Hi,

In our configuration we use Cisco Email Security (CES) filtering in front of our Office 365 Exchange Online. When a user sends a legitimate message, Cisco or Office 365 may still flag it as suspected malware, and it may be blocked or quarantined. An example is a Power BI file (.pbix) that contains some JavaScript: it may be blocked even though it is legitimate and harmless. Here are some tips for dealing with this.

First, you can trace the message by sender or subject in Office 365 using https://protection.office.com/messagetrace

Now the inbound mail routing scenarios are:

First Scenario – External messages (ex. @gmail.com to @contoso.com) – Mail routing path is Internet > CES > Office 365

To get a legitimate message through you may want to ask the sender to zip it. What happens next depends on your configuration; the usual outcomes are below. Note that a password-protected zip is delivered precisely because neither CES nor Office 365 can scan its contents, so confirm with the sender out of band that they really sent the file before opening it.

  • Zip with password – if the file is zipped with a password, the message passes through CES and Office 365 and is delivered. The message may get the subject tag: [EXTERNAL] [A/V ENCRYPTED – NOT SCANNED]
  • Zip without password – the sender may not even be able to send it, since their own email system may block it at the source.
  • No zip – same as above. The sender may not even be able to send it, since their own email system may block it at the source.

Second Scenario – Internal messages (ex. @contoso.com or @hotmail.com to @contoso.com) – Mail routing path is Office 365 > Office 365 (same or different tenant)

  • Zip with password – if the file is zipped with a password, the message gets through and the user receives it in their inbox.
  • Zip without password – if zipped without a password, the message gets through as well.
  • No zip – the message is quarantined and not delivered. The sender receives the non-delivery report below. An admin can release it from quarantine at https://protection.office.com/quarantine

From: postmaster@contoso.org

This message was created automatically by mail delivery software. Your email message was not delivered as is to the intended recipients because malware was detected in one or more attachments included with it. All attachments were deleted.

— Additional Information —:

Subject: without pwd

Sender: joe@contoso.com

Time received: 10/22/2020 1:10:00 PM

Message ID:<SN6PR61D8B79EF1D0@SN6PR17MB2335.namprd1.prod.outlook.com>

Detections found: MyFile.pbix js
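The same trace-then-release procedure can be scripted with the Exchange Online PowerShell module instead of the two portal pages. The block below is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the account used has a role allowed to manage quarantine (for example Security Administrator). The sender, subject and Message-ID come from the NDR above; the admin account is a placeholder.

```powershell
# Added example: trace a blocked message in Exchange Online and release it
# from quarantine as a false positive. Not code from the original post.
# Assumes the ExchangeOnlineManagement module and a quarantine-capable role.
# admin@contoso.com is a placeholder; sender, subject and Message-ID are
# the values from the NDR quoted in the post.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$Sender    = 'joe@contoso.com'
$Subject   = 'without pwd'
$MessageId = '<SN6PR61D8B79EF1D0@SN6PR17MB2335.namprd1.prod.outlook.com>'

# 1. Message trace (same data as https://protection.office.com/messagetrace).
#    Get-MessageTrace only covers roughly the last 10 days; use
#    Start-HistoricalSearch for anything older.
$trace = Get-MessageTrace -SenderAddress $Sender `
                          -StartDate (Get-Date).AddDays(-2) `
                          -EndDate   (Get-Date) |
         Where-Object { $_.Subject -eq $Subject }
$trace | Format-Table Received, RecipientAddress, Status, MessageId -AutoSize

# 2. Per-recipient detail shows which filtering event acted on the message
#    (e.g. a malware detection) rather than just the final status.
foreach ($m in $trace) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                           -RecipientAddress $m.RecipientAddress |
        Select-Object Date, Event, Detail | Format-Table -AutoSize
}

# 3. Locate the quarantined copy. Filtering on the exact Message-ID from the
#    NDR avoids releasing some other quarantined message from the same sender.
$q = Get-QuarantineMessage -MessageId $MessageId -Type Malware
if (-not $q) { throw "No quarantined malware message with Message-ID $MessageId" }
$q | Format-List ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, ReleaseStatus, Identity

# 4. Look at the headers before releasing: confirm the sender really is who
#    the NDR says (SPF/DKIM/DMARC results) so this is a true false positive
#    and not a spoofed message carrying a real payload.
Get-QuarantineMessageHeader -Identity $q.Identity

# 5. Release to all original recipients and report it to Microsoft as a
#    false positive. Drop -ReportFalsePositive if you only want it delivered.
Release-QuarantineMessage -Identity $q.Identity -ReleaseToAll -ReportFalsePositive

Disconnect-ExchangeOnline -Confirm:$false
```

Releasing by Message-ID rather than by sender or subject is deliberate: a sender whose mailbox has been compromised can have several quarantined messages at once, and only the one the user actually asked about should be let through. The header check in step 4 is the minimum a practitioner should do before overriding a malware verdict.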

Our company offers IT consulting and support services. If you liked this article and want a quote for our services, contact us at https://www.sepetra.com/contact-us
